mnemonic security podcast

OpenClaw

mnemonic


The AI agent everyone is talking about.

In this episode of the mnemonic security podcast, Robby is joined by Marius Sandbu, fellow podcaster (CloudFirst Podcast and KI til Kaffen/AI with Coffee) and Cloud Evangelist at Sopra Steria. 

Together, they dive into the current potential of agentic technologies. In particular, they cover OpenClaw, the open-source autonomous AI agent that is currently one of the most popular repositories on GitHub.

The conversation covers key risks, including remote control access, overly broad permissions and supply-chain concerns, as well as enterprise governance challenges, the need for policies, and observability across different agent platforms.

They both share what conversations they're having with customers and security teams these days, both with the "gatekeepers" and the "believers". 


SPEAKER_00

From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta, welcome to the mnemonic security podcast.

SPEAKER_03

I was annoyed that it didn't exist, so I just prompted it into existence. Peter Steinberger, creator of OpenClaw. We don't know how much OpenAI paid for it, but it's the most popular repository on GitHub. Ever. The AI agent that runs on your machine and actually does things, not just answers questions. And you can talk to it however you'd like: iMessage, WhatsApp, Slack, IRC, whatever that is. One command to install, unlimited possibilities. What could go wrong? So I put that question to someone who's been living inside this problem professionally, and also the only guy I know who's connected it to his Philips Hue lights at home. Thank you, thank you. Do you actually agree with the NVIDIA CEO that this is actually the new Linux?

SPEAKER_04

I wouldn't say I agree totally with that statement, because first off, NVIDIA has one goal, and that's of course to sell as much GPU power as possible and allow consumers to burn as many tokens as possible. And pushing consumers to drive more agentic workloads is in their benefit, of course. And I don't think that OpenClaw is doing anything revolutionary, because a lot of the capabilities it's using are something that's been there for a while. But I think it's one of the first features or products in the market that actually tries to group together all the generative AI capabilities into one single product or platform, if you will. And of course, one of the things I see with it also becoming open source is that we now have all these contributors building new capabilities, adding new features. So even if OpenClaw in the first iteration had a lot of issues and security risks, it's becoming a more and more stable and more secure platform. So I think it's gonna be interesting to see, in a year's time, how far this piece of software has gotten.

SPEAKER_03

Are there any common misconceptions that you've seen? And why, I mean, now that everybody's open sourcing it, why is it significant that it's open source?

SPEAKER_04

Well, if we go into the first part, common misconceptions: of course there's a lot of discussion on social media and in all the different articles I see that, okay, OpenClaw is kind of like a security nightmare, because it is actually a coding agent that has access to your local machine, and it has all these different channels where you can publish and manage it externally, so you can manage it on your phone or on your Slack or any other type of chat communication channel you can set up. But this is also something that other coding agents actually have, and even Claude Code and Codex also released this remote control feature last week. So you have these ways to get access to that machine. The second part is that, okay, these coding agents also run locally on your machine. So, of course, they have access to your file system and all the applications that you have access to. Now, I think the common misconception is, well, OpenClaw is not secure. That's the big thing that a lot of people are saying, but okay, it all depends on how you set it up, setting it up properly. You can set it up in a sandbox, which doesn't have access to anything besides a virtual file system, and you can specify what kind of external endpoints and services it communicates with. So either way, you have a lot of different mechanisms that you can use to actually lock it down so it can only access what you define it should have access to. And of course, you have these new versions from Cisco and NVIDIA as well, which add some additional security capabilities on top. So I think that's the main misconception that I see a lot of talk about: the security part. And also a lot of people like to compare it with Claude Code and OpenAI Codex, saying that, oh well, those other tools are much better. But again, you can have access to the same language models.
Of course, there are some differences in terms of instructions, but you have access to a lot of the same. And I think the main part is becoming open source. Again, a lot of other projects are open source as well, which provide some of the same capabilities, so it's not revolutionary there, but I think the big difference is that you get one coding agent that has access to a multitude of language models, a multitude of ways to manage it through channels, and that you have support for skills and MCP as well. So it's, let's say, a box of multiple different integrations that you can use directly on the same platform.

SPEAKER_03

How hard is it to actually set this up? You mentioned VM and sandboxing.

SPEAKER_04

Well, it's fairly simple, depending on which operating system you have. It's like one command line that you run, and then it does this type of interactive setup where you can define, okay, which language model do you want to connect it to, which communication channel, how do you want to manage it? And then you define what kind of permissions you want it to run with, and then you get access to a web dashboard that you can go into and set up agents and set up session control and so on. And the same also applies for all the other options from NVIDIA and Cisco as well. It's like one command line, and you get it up and running quite quickly. But if you want to have it in a virtualized environment, running sandboxed, there's some additional configuration, but it's not that much work as long as you know the correct parameters.

SPEAKER_03

So this is literally a YouTube-video kind of thing, like a tutorial. Yeah. But I should not be doing that on my work computer.

SPEAKER_04

No, it's not a good idea. Why not? I don't think your IT department's gonna be very happy about that. But I think the problem is: okay, I can install it. Nothing bad is gonna happen unless I give it full permissions and I have full administrator rights on my machine. I can give you one scenario which I saw on social media. There was some VP at Meta who set up OpenClaw against their email or Gmail account, and then it started going in and deleting a bunch of different emails because of the instructions that she gave the chatbot. So, of course, as long as the agent has permission to do so and you give it wrong instructions, well, bad things can happen.

SPEAKER_03

I was really surprised by that story. It's just like, you work for Meta and you posted this openly. Like, why? It doesn't make you look... But she did get a lot of attention and made me smile. So I'm wondering about this connection with, I heard that the whole world was sold out of Mac Minis, which I don't understand. What does that Apple product have to do with this?

SPEAKER_04

Yeah, well, there's two parts. First off, you can cluster together Mac Minis and get a fairly good set of virtual machines running, so you can run local language models. Now there's also an additional framework where you can cluster together like three, four, five Mac Minis and have like a big virtual graphics card on top, on which you can run local language models. But the other part is that you get access to the Mac ecosystem, so iMessage and so on.

unknown

Right.

SPEAKER_04

So that way you can connect OpenClaw to iMessage and manage it remotely from there. Yeah.

SPEAKER_03

And that made them sell out, yeah.

SPEAKER_04

Yeah. And so it's not that you use the Mac Mini for local processing, it's just that you get access to those Apple ecosystems. You know, and it looks nice on your desk, right?

SPEAKER_03

Right, right.

SPEAKER_04

Did you buy one? No, I didn't.

SPEAKER_03

No.

SPEAKER_04

You have this from... I have some dedicated NUCs with a little bit more graphics power or a graphics card installed. So it has a little bit more horsepower than the regular Mac Mini.

SPEAKER_03

Yeah. When it comes to the risks associated with this, you know, the skills. So you were telling me about VirusTotal and the skills. Run us through the skills risks and any other risks that you see with operating this type of technology.

SPEAKER_04

Yeah, sure. So skills is a fairly new standard, in AI terms at least. Not in personal life, but in AI terms, skills is a fairly new term. It was introduced by Anthropic not so long ago, but a skill is essentially a markdown file which tries to provide expertise to your virtual agents within a specific domain. Could be that you have a skill set for how you manage virtual machines, a skill set for how you do security. And these skills contain prompts and ways for the language model, it's just like instructions. But of course, these skills can also reference scripts, CLI scripts, command line scripts. And the initial problem that happened was that OpenClaw had this marketplace, I don't remember the name, ClawHub or something, where people can create their own skills, publish them to a marketplace, and people could download them and use them on their own OpenClaw instance. But what we saw was that there were a lot of new skills published which contained malicious instructions, which could say, okay, I have this skill which is used to manage my Google Cloud or my Google email and calendar. So when people downloaded the skill, it had a lot of hidden instructions and scripts included as part of the skill, which said that, okay, when the agent runs the skill, it would go in, find sensitive information in my email or calendar and send it to a third party. And there were thousands of different malicious skills being published to the marketplace. So when they saw that, okay, this is becoming a big problem, what happened was that OpenClaw and Peter, the creator of OpenClaw, went into a partnership with VirusTotal. So now VirusTotal will go in and scan every new skill that's being published to see if there's any type of malicious content as part of the skill that's being published.

SPEAKER_03

Why has nothing really bad happened yet? It's very underwhelming, I feel like, when everybody's talking about how, you know, scary the agentic future is and everything, but I've literally... the headlines, maybe there's just so much other drama going on in the world. I mean, besides that Meta incident, there really hasn't been that much else.

SPEAKER_04

Or no, no, not that I've seen. I think, as I said, it's drowning in other things that are happening worldwide. Well, I have one part though that I know happened. Aqua Security, which is a company that has created an open source framework called Trivy, which is used to scan for, let's say, bad configuration or bad settings in Terraform code and so on. Now they also have their tool publicly available on GitHub, and their GitHub repository was compromised a couple of weeks ago. What happened was that when you ran and installed Trivy, it would also install OpenClaw automatically because of the way that they compromised the GitHub repository. So even though nothing bad happened, what happened was that all the users that ran Trivy would also install OpenClaw automatically. And two weeks later, probably one week from now, or one week back in time, their entire GitHub repository was also compromised. Oh, which also made this a supply chain attack, because a lot of companies are running Trivy, and attackers gained access to a lot of different organizations now, and this is now propagating into different organizations and companies worldwide, which I just read a little bit earlier today in an article. And of course, this might stem from one person inside running OpenClaw who installed a malicious skill, and suddenly some credentials or API keys were sent somewhere else, and then, okay, now we got access to this GitHub repository, and then we can start moving forward and try to gain access to other parts as well. Could be, I'm speculating, but I think this is something that we're gonna see more and more, right?
Where some individual, could be a developer, could be someone working in the IT department or some regular person working in administration, installs this agent, not setting it up properly, because, you know, it requires some skill to understand how you can set it up in a secure manner, and suddenly you give the agent too much access to something, could be an application or files or calendar or whatever, and then suddenly you have this malicious skill coming in, and then information is flying somewhere else.

SPEAKER_03

We mentioned Cisco's Defense Claw, which is supposed to be a more enterprise, if I could say enterprise, a more business-friendly version of this. What are some of the legit use cases that you can immediately see there? And are they the same, I guess, is it the same risks for a business, just at a bigger scale than it is for personal use?

SPEAKER_04

Well, let's look at the blast radius. If someone were able to access my OpenClaw instance, of course, the blast radius would be the machine that it is running on or my local network. Your lights, yeah, my Philips Hue lights. That's the blast radius. Of course, I'm gonna get annoyed, but it's not more than that. Of course, if someone set up an OpenClaw instance running within their infrastructure, exposed it to the internet using some form of community channel, let's say IRC, you have an agent there, and then someone gets access to that agent and says, oh, I want you to install this executable file on that machine so that they can get access remotely through some form of VNC viewer or something like that. And then it's one way to get through your firewall and then get to the inside of your infrastructure. So of course the blast radius can now suddenly become a lot larger. But again, I think it's about how you set it up properly to make sure that the blast radius is as small as possible.

SPEAKER_03

I assume that companies should be right now sort of scanning their environment just to make sure that they have governance over who has installed this. That's possible to do, right? Correct?

SPEAKER_04

Yeah, yeah. With most EDR tools you can scan for executables and newly installed software. So as long as you have EDR capabilities in place, it's fairly easy to find out if employees have installed this or not.

SPEAKER_03

What other things would you be doing if you were head of security for a company, knowing what you know on the defensive side, just to make sure that these bad things don't happen through the use of this technology?

SPEAKER_04

Well, we'll always see that a lot of employees are very curious and very forward or very open to trying out new things, and they see that, oh, this is something that I can try out, and they try it at home, and then they see different use cases, how they can use this at work as well. And I've had so many talks about this the last couple of months saying that, oh, can't we just install OpenClaw for our business and try to solve these and these issues? But I think from a CISO perspective, see that, okay, what kind of alternatives do we have where we can have better control but still try and solve the same use cases? Because the way that I see it now, and as you said, OpenClaw is not an enterprise-friendly tool; it lacks insight and policies that allow us to manage and control this in a centralized way. So I would look for alternatives. If you have a lot of people using OpenClaw, say that, okay, what's the use case that you see using this tool for? And secondly, okay, can we have alternatives in place that can provide its capabilities but allow us to manage it properly?

SPEAKER_03

It just makes me think, we talked about this last time, that the CISO is the HR for AI usage, or should be. Because it would be ideal if, you know, the developers, and I've had this conversation with clients already, that a developer or people in the business come to security and say, I want to do X, Y, and Z, and then they just say no, where they should be saying, yeah, give me a week and I'll figure it out, or something like, give me some time. What has your experience been with dealing with security teams? Have you met any security teams that have actually taken that responsibility and done good things so far?

SPEAKER_04

Yeah, yeah. Well, I've met both ends of that scale. We've had those, I'd say, gatekeepers saying that no, no, we don't know what this is, and therefore we don't approve it yet, so we'll have to wait. And then we have those on the other side saying that, okay, these new capabilities and agents are something that's gonna empower our developers, because they see a lot of benefit using it already. So we need to figure out how we can solve this. So I'm now seeing more and more IT security teams trying to be more proactive, trying to understand the needs of the business and the developers, saying that, okay, we need to make sure that we can provide capabilities that allow us to remain in control, but still allow them to use these new tools and capabilities that are being delivered to the market. I think that the main problem is that there are so many different tools and agents and capabilities, and there's no single way to, let's say, govern these agents on a large scale. So it's a fairly young ecosystem, which also makes it even more complex to manage. So in many cases we need to define, okay, these are the pre-approved tools that you can use. And if you have a specific use case for a new tool, then we need to discuss it and figure out how we can solve it.

SPEAKER_03

It's like security needs to go into a bunker for a few weeks and just go figure shit out. But they have to worry about the rest of the real job, which is security operations and everything else that we had to deal with before AI.

SPEAKER_04

And then you come back after those two weeks and the landscape is totally changed, right?

SPEAKER_03

Yeah. Typical. Get used to it, it's not gonna change. I want to get back to the governance part, because that's the question I get most often: how do we govern these things? But another thing I want to talk about is the benefits. You know, you mentioned the benefits to developers. I feel like AI has mostly benefited developers, of all the cases I've heard. Developers have had the largest change in their daily life. First of all, do you agree with that? And second of all, what are some of the other use cases where you've actually seen value being brought to the business using agentic features?

SPEAKER_04

Yeah, when it comes to agents, I totally agree. I've talked with so many different developer teams saying that the use of AI has made their job a lot easier. And of course, with the new improvements, with the new models that are coming constantly, it makes it easier and easier to see all the improvements that they get. And I saw a blog post on GitHub a couple of weeks ago where they published some research on how much code is automatically approved based upon which kind of language model they had. I think that when it came to the latest versions of Claude, Claude 4.5 or 4.6, close to 80% of the code was automatically approved because the quality was so good, compared to the older versions, which were close to 50, 60 percent. Now, of course, I think there's a lot of ongoing discussion in terms of, okay, but how much time does each developer save by using these new tools? And it might not be that they save a lot of time, but it makes it a lot easier for them to actually troubleshoot or understand. And I think that's gonna give a lot of additional value for security as well. Just like understanding, okay, what kind of security bugs do we have in this code? And just deploying an agent which goes through every part of the source code and tries to see, okay, these and these vulnerabilities are something that we might not have been able to detect before, until we unleash this language model on it.

SPEAKER_03

It's funny because now we're using some technology to make the code, and you're probably using the same technology to scan it for vulnerabilities, which is an interesting sort of situation we've ended up in. When a client comes to us and says, hey, we need governance around this, where do we even start? Because I feel like that is probably the top thing that every security team this year should be dedicating some time to: how do you govern this agentic future? What is your answer to that as of the 31st of March 2026?

SPEAKER_04

Yeah. I would say I don't have an answer. I think the issue is that the ecosystem is quite fragmented, because if we look at developers, they have GitHub Copilot, Cursor, Claude Code, OpenAI Codex, so many different AI or developer agent frameworks. Then we have the more, let's say, line-of-business automation agents, which are built using some form of agent SDK, so Microsoft Agent Framework or Google Agent Development Kit or LangGraph, LangChain, so many there as well. And then we have the more power users or office users, which use Copilot 365 or Claude Cowork or something like that. So, of course, we have all these different use cases now which are using generative AI. And some of them are running agents that interact locally with the machine, some are running in the cloud, some are just regular chatbots which have some form of automation. And there's no single way to control all of these using the same set of tools. So we need to create some common guidelines to say that, okay, if you run some form of agent, you have to make sure that you have these guidelines in place, follow these rules, maybe have some way to provide insight or observability into how the agents are used, but you need to have multiple ways to manage them properly. So if you have a lot of agents using GitHub Copilot, well, you need to set up policies there to make sure that you control what kind of features are in place or can be used, what kind of language models can be used, what kind of insight you get to make sure that it's used properly. And you need to set up the same if you want to use other frameworks using public cloud providers, when you have something that's talking directly with a language model through their API, which has its own set of tools.
So you need to have different toolboxes in place to try to govern these agents across different areas or different parts of the workforce.

SPEAKER_03

It sounds like you're a proponent or a fan of the platform team, I guess, then, kind of like developers, you know, these guardrails. That needs to be done today, but with AI. And then, I do agree, but do you use the same people, or should that be a security team now?

SPEAKER_04

I haven't figured that out yet. I think it all depends, because it requires a new set of expertise or knowledge, if you will, to understand how to use this properly. I think it all depends on how mature the team is. Of course, if the platform team loves to play around with new technology and has a fairly good understanding of the tools and ecosystem, fine, put the responsibility there. Of course, the central security team is, in most cases, still responsible for having these common sets of guidelines, if you will, that should always be applied to every part of the organization.

SPEAKER_03

There was a report that came out, and it was like only 4% of those that have invested in AI, whatever that means under the umbrella term AI, have seen enterprise benefits. Is that still how you look at it? Or what's your view, again as of the 31st of March 2026?

SPEAKER_04

Well, I can just start with a simple example that provides return on investment. And I'm not trying to advertise for some specific company now, but let's say that we have a certain collaboration platform where you now have virtual agents that can do transcription and create meeting notes or create a summary of the meeting, summaries, thank you, and also create to-do lists or to-do tasks automatically. That just saves a lot of time. Absolutely. And of course, these tools are being used every day. And if you can figure out, okay, how many meetings do we have within this company in a week, how many hours are being saved on a daily basis just by having this single, pretty simple virtual agent that is running and collecting all the notes that are being said and creating to-do tasks automatically. So, of course, pretty simple. And then we have use cases to do automatic OCR, digitalizing paper content. That's something that still takes a lot of time because you need to scan the content. Now we have language models that can do this 10 times faster and much more accurately compared to traditional OCR. That's a fairly good use case, but it's simple. And then we have a lot more complex use cases now, which can automatically handle every email that's coming in, look at correspondence, and define, okay, which direction should this email be sent to. Because let's say you're a municipality, you need to sort out all incoming emails and need to reroute or redirect them, forward them to the right recipient. Of course, there are some additional use cases that we also see save a lot of time. And I had another use case that I thought of, but now it slipped my mind.

SPEAKER_03

I'll take one, or two actually, that I heard at the conference. One of them was a guy that was trying to revolutionize the renewal process, you know, selling licenses on behalf of vendors. And he has a bunch of junior salespeople and he transcribes everything they're saying, runs it through an agent so that they get feedback based on their call, which I would be super scared of if I had some agent listening to everything I'm saying with my clients. Number one, because that's kind of like a security risk, or it would be in my line of work, but also just because now my boss knows how bad I am at my job. So that was one, and one of the other startups, yeah, you know how call centers are being tricked into giving credentials away and whatnot. It was just analyzing the calls or, you know, chats going towards the service desk to understand, it's very much sentiment analysis. Like, are they asking for something? Are they asking for it now? It gives them a risk score and it lets the help desk know on the other side that, like, you are likely trying to, this is likely bullshit, right? Really simple use cases. So I guess people started with the low-hanging fruits, which is good.

SPEAKER_04

Yeah, and I know there are a lot of use cases in Norway which are using some simple, some more advanced agents that are being set up. I know that the public roads administration, Statens vegvesen, also has some examples that it published online in a webinar that I saw a couple of weeks ago. So I think that most companies have this: when they look at AI they say, okay, how can we do some quick wins? We have this specific use case and we have this budget. How can we use AI to try and solve this? And they create one, could be a fairly simple one. Okay, they get knowledge, they get more understanding, and then they mature a little bit more in terms of using AI, and then they start to add more and more use cases on top. So I think that after the 31st of March 2026 and the remainder of 2026, we'll see a lot more use cases and agents being created and also more public references, because I think we got to the point where these agents or these language models have much higher accuracy, can handle much more content than they could before. And of course, now that they can interact with the command line, they can interact with your machine, so they can move around in a machine to actually do things that traditional RPA has done before, with much higher accuracy as well compared to the traditional human. I think we'll have more of these, let's say, enterprise use cases being solved with agents.

SPEAKER_03

And based on your Statens vegvesen example, and yeah, they're the ones that control the roads basically, a bunch of cameras reading what are those, car license numbers. There's also a case here for what they call multimodal, where pictures and voices are being used. So I guess as technology advances in those fields, like, for some reason I have a feeling that Google is best with picture generation and understanding pictures and stuff. Then once that gets really good, there'll be even more use cases that are going to be available. And it's not just text, I guess.

SPEAKER_04

If that made any sense, yeah, yeah, yeah. So it totally makes sense. And just think about surveillance, where you can attach a video stream to a language model and see, okay, if there's anything suspicious going on or certain things you actually should look for. Let's take Google, for example, Gemini. It can handle upwards of one and a half hours of video content, analyze it and specify, okay, what happened in this video, what were the persons or objects involved in this view. Like OCR, that's a capability that multimodal has. We also now have language models that create smaller language models that can run on your phone for image recognition. So let's say you're an electrician working in the field and you need to troubleshoot something, and then you can have an assistant running on your phone, and you can just take a picture of the instrument panel or something that you're troubleshooting, and then the agent can talk to you directly on your phone, where you might not have internet access at all, and say, okay, this is the way to troubleshoot this and this.

SPEAKER_03

Awesome. Ah, the future is so cool.

SPEAKER_04

Yeah, and the cool part is that we're just getting started, because if we look at, let's say, the last year or so, it's been quite hectic, with so many new capabilities being pushed out. And now we have investments up towards 900, 9,000 billion dollars. No, billion dollars. 9 trillion dollars. Being invested into building new AI data centers, including two small ones in Norway, but on a global scale. And of course, the big problem for these big AI vendors or AI companies, Google, Anthropic, and OpenAI, has been access to computing hardware or AI hardware, and now this is being solved, and that means that we'll get new models quicker, stronger, faster, and more powerful compared to the models that we have today.

SPEAKER_03

Yeah. Marius, thank you so much for your time. You're a legend. And I am, as always, looking forward to speaking with you next time on the podcast. Take care. Thank you. Thank you for having me. Bye. Ciao.

SPEAKER_02

Well, that's all for today, folks. Thank you for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonic.no. Thank you for listening, and we'll see you next time.